MJP Security Tools is a focused hardening plugin that does four things well:
- XSS Database Scanner — scans every table for
<script>,<iframe>,onclick,javascript:and other injection patterns - POST Request Log — records all POST data (passwords masked) with IP, user agent, and URL for CSRF/audit detection
- Failed Login Log — tracks every failed login attempt with username, IP, and timestamp
- File Permission Checker — verifies WordPress root files and directories have safe permissions, checks for missing
index.htmlfiles and SVN working copies
What this plugin does NOT do (because WordPress core already handles it):
- SSL enforcement — use
FORCE_SSL_ADMINor let WordPress 5.7+ auto-redirect - Password strength — WordPress core enforces strong passwords since 4.3
- Login rate limiting — use a dedicated plugin like Limit Login Attempts Reloaded
- Version number hiding — marginal benefit, not worth the complexity
Upgrading from v1.x:
- The admin page has moved from jQuery UI tabs to native WordPress nav tabs
- SSL forcing, password enforcement, login throttling, version hiding, admin username changing, database prefix randomization, password reset, and .htaccess generation have been removed — WordPress core and dedicated security plugins handle these better
- PHP sessions replaced with WP transients for flash messages
- Log data is now stored as JSON instead of serialized PHP
- The Javacrypt client-side crypt(3) script has been removed
